I am sys admin working with a development team who is extending a publically accessible .net web app that currently uses forms authentication with usernames/passwords (hashed) stored in a sql database. The developers would like to move from crystal reports to SRSS and they tell me that AD authentication is a requirement for credentials to be shared betwen SRSS and the webapp. Their proposal is to have the webapp create/modify AD accounts in a AD domain setup specifically for this purpose. The webapp and SRSS servers will be in the same domain. The domain credentials used to create/modify the user will be stored in the web config and an API will be called with the credentials.

I don’t like the idea but I am having a hard time persuading them not to use this architecture. Are there any PCI controls or controls in similarly respected control frameworks that prohibit this architecture? Or am I making a mountain out of an ant hill?

It is a pretty hairy design, especially if its designed to continue using SQL to store the users. Now, migrating to using AD for all users, and letting the currently logged in user access SSRS with the given token is a pretty standard architecture. That way you don't ever store credentials.